2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
10 * This software was developed for the FreeBSD Project in part by NAI Labs,
11 * the Security Research Division of Network Associates, Inc. under
12 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
13 * CHATS research program.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. The names of the authors may not be used to endorse or promote
24 * products derived from this software without specific prior written
27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42 * Developed by the TrustedBSD Project.
44 * Framework for extensible kernel access control. Kernel and userland
45 * interface to the framework, policy registration and composition.
49 #include "opt_devfs.h"
51 #include <sys/param.h>
52 #include <sys/extattr.h>
53 #include <sys/kernel.h>
55 #include <sys/malloc.h>
56 #include <sys/mutex.h>
58 #include <sys/module.h>
60 #include <sys/systm.h>
61 #include <sys/sysproto.h>
62 #include <sys/sysent.h>
63 #include <sys/vnode.h>
64 #include <sys/mount.h>
66 #include <sys/namei.h>
67 #include <sys/socket.h>
69 #include <sys/socketvar.h>
70 #include <sys/sysctl.h>
74 #include <vm/vm_map.h>
75 #include <vm/vm_object.h>
77 #include <sys/mac_policy.h>
79 #include <fs/devfs/devfs.h>
81 #include <net/bpfdesc.h>
83 #include <net/if_var.h>
85 #include <netinet/in.h>
86 #include <netinet/ip_var.h>
91 * Declare that the kernel provides MAC support, version 1. This permits
92 * modules to refuse to be loaded if the necessary support isn't present,
93 * even if it's pre-boot.
95 MODULE_VERSION(kernel_mac_support, 1);
97 SYSCTL_DECL(_security);
99 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
100 "TrustedBSD MAC policy controls");
102 #ifndef MAC_MAX_POLICIES
103 #define MAC_MAX_POLICIES 8
105 #if MAC_MAX_POLICIES > 32
106 #error "MAC_MAX_POLICIES too large"
108 static unsigned int mac_max_policies = MAC_MAX_POLICIES;
109 static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1;
110 SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD,
111 &mac_max_policies, 0, "");
113 static int mac_late = 0;
115 static int mac_enforce_fs = 1;
116 SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
117 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
118 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
120 static int mac_enforce_network = 1;
121 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
122 &mac_enforce_network, 0, "Enforce MAC policy on network packets");
123 TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
125 static int mac_enforce_pipe = 1;
126 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
127 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
128 TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
130 static int mac_enforce_process = 1;
131 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
132 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
133 TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
135 static int mac_enforce_socket = 1;
136 SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
137 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
138 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
140 static int mac_enforce_vm = 1;
141 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
142 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
143 TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
145 static int mac_label_size = sizeof(struct mac);
146 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
147 &mac_label_size, 0, "Pre-compiled MAC label size");
149 static int mac_cache_fslabel_in_vnode = 1;
150 SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW,
151 &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode");
152 TUNABLE_INT("security.mac.cache_fslabel_in_vnode",
153 &mac_cache_fslabel_in_vnode);
155 static int mac_vnode_label_cache_hits = 0;
156 SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
157 &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels");
158 static int mac_vnode_label_cache_misses = 0;
159 SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
160 &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
162 static int mac_mmap_revocation = 1;
163 SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
164 &mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
166 static int mac_mmap_revocation_via_cow = 0;
167 SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
168 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
169 "copy-on-write semantics, or by removing all write access");
172 SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
173 "TrustedBSD MAC debug info");
175 static int mac_debug_label_fallback = 0;
176 SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
177 &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
178 "when label is corrupted.");
179 TUNABLE_INT("security.mac.debug_label_fallback",
180 &mac_debug_label_fallback);
182 SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
183 "TrustedBSD MAC object counters");
185 static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
186 nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
189 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
190 &nmacmbufs, 0, "number of mbufs in use");
191 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
192 &nmaccreds, 0, "number of ucreds in use");
193 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
194 &nmacifnets, 0, "number of ifnets in use");
195 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
196 &nmacipqs, 0, "number of ipqs in use");
197 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
198 &nmacbpfdescs, 0, "number of bpfdescs in use");
199 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
200 &nmacsockets, 0, "number of sockets in use");
201 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
202 &nmacpipes, 0, "number of pipes in use");
203 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
204 &nmacmounts, 0, "number of mounts in use");
205 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
206 &nmactemp, 0, "number of temporary labels in use");
207 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
208 &nmacvnodes, 0, "number of vnodes in use");
209 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
210 &nmacdevfsdirents, 0, "number of devfs dirents inuse");
213 static int error_select(int error1, int error2);
214 static int mac_externalize(struct label *label, struct mac *mac);
215 static int mac_policy_register(struct mac_policy_conf *mpc);
216 static int mac_policy_unregister(struct mac_policy_conf *mpc);
218 static int mac_stdcreatevnode_ea(struct vnode *vp);
219 static void mac_check_vnode_mmap_downgrade(struct ucred *cred,
220 struct vnode *vp, int *prot);
221 static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
222 struct ucred *cred, struct vm_map *map);
224 static void mac_destroy_socket_label(struct label *label);
226 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
227 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
230 * mac_policy_list_lock protects the consistency of 'mac_policy_list',
231 * the linked list of attached policy modules. Read-only consumers of
232 * the list must acquire a shared lock for the duration of their use;
233 * writers must acquire an exclusive lock. Note that for compound
234 * operations, locks should be held for the entire compound operation,
235 * and that this is not yet done for relabel requests.
237 static struct mtx mac_policy_list_lock;
238 static LIST_HEAD(, mac_policy_conf) mac_policy_list;
239 static int mac_policy_list_busy;
240 #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \
241 "mac_policy_list_lock", NULL, MTX_DEF);
242 #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock);
243 #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock);
245 #define MAC_POLICY_LIST_BUSY() do { \
246 MAC_POLICY_LIST_LOCK(); \
247 mac_policy_list_busy++; \
248 MAC_POLICY_LIST_UNLOCK(); \
251 #define MAC_POLICY_LIST_UNBUSY() do { \
252 MAC_POLICY_LIST_LOCK(); \
253 mac_policy_list_busy--; \
254 if (mac_policy_list_busy < 0) \
255 panic("Extra mac_policy_list_busy--"); \
256 MAC_POLICY_LIST_UNLOCK(); \
260 * MAC_CHECK performs the designated check by walking the policy
261 * module list and checking with each as to how it feels about the
262 * request. Note that it returns its value via 'error' in the scope
265 #define MAC_CHECK(check, args...) do { \
266 struct mac_policy_conf *mpc; \
269 MAC_POLICY_LIST_BUSY(); \
270 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
271 if (mpc->mpc_ops->mpo_ ## check != NULL) \
272 error = error_select( \
273 mpc->mpc_ops->mpo_ ## check (args), \
276 MAC_POLICY_LIST_UNBUSY(); \
280 * MAC_BOOLEAN performs the designated boolean composition by walking
281 * the module list, invoking each instance of the operation, and
282 * combining the results using the passed C operator. Note that it
283 * returns its value via 'result' in the scope of the caller, which
284 * should be initialized by the caller in a meaningful way to get
285 * a meaningful result.
287 #define MAC_BOOLEAN(operation, composition, args...) do { \
288 struct mac_policy_conf *mpc; \
290 MAC_POLICY_LIST_BUSY(); \
291 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
292 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
293 result = result composition \
294 mpc->mpc_ops->mpo_ ## operation (args); \
296 MAC_POLICY_LIST_UNBUSY(); \
300 * MAC_PERFORM performs the designated operation by walking the policy
301 * module list and invoking that operation for each policy.
303 #define MAC_PERFORM(operation, args...) do { \
304 struct mac_policy_conf *mpc; \
306 MAC_POLICY_LIST_BUSY(); \
307 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
308 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
309 mpc->mpc_ops->mpo_ ## operation (args); \
311 MAC_POLICY_LIST_UNBUSY(); \
315 * Initialize the MAC subsystem, including appropriate SMP locks.
321 LIST_INIT(&mac_policy_list);
322 MAC_POLICY_LIST_LOCKINIT();
326 * For the purposes of modules that want to know if they were loaded
327 * "early", set the mac_late flag once we've processed modules either
328 * linked into the kernel, or loaded before the kernel startup.
338 * Allow MAC policy modules to register during boot, etc.
341 mac_policy_modevent(module_t mod, int type, void *data)
343 struct mac_policy_conf *mpc;
347 mpc = (struct mac_policy_conf *) data;
351 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
353 printf("mac_policy_modevent: can't load %s policy "
354 "after booting\n", mpc->mpc_name);
358 error = mac_policy_register(mpc);
361 /* Don't unregister the module if it was never registered. */
362 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
364 error = mac_policy_unregister(mpc);
376 mac_policy_register(struct mac_policy_conf *mpc)
378 struct mac_policy_conf *tmpc;
379 struct mac_policy_op_entry *mpe;
382 MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
383 M_MACOPVEC, M_WAITOK | M_ZERO);
384 for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
385 switch (mpe->mpe_constant) {
388 * Doesn't actually happen, but this allows checking
389 * that all enumerated values are handled.
393 mpc->mpc_ops->mpo_destroy =
397 mpc->mpc_ops->mpo_init =
401 mpc->mpc_ops->mpo_syscall =
404 case MAC_INIT_BPFDESC_LABEL:
405 mpc->mpc_ops->mpo_init_bpfdesc_label =
408 case MAC_INIT_CRED_LABEL:
409 mpc->mpc_ops->mpo_init_cred_label =
412 case MAC_INIT_DEVFSDIRENT_LABEL:
413 mpc->mpc_ops->mpo_init_devfsdirent_label =
416 case MAC_INIT_IFNET_LABEL:
417 mpc->mpc_ops->mpo_init_ifnet_label =
420 case MAC_INIT_IPQ_LABEL:
421 mpc->mpc_ops->mpo_init_ipq_label =
424 case MAC_INIT_MBUF_LABEL:
425 mpc->mpc_ops->mpo_init_mbuf_label =
428 case MAC_INIT_MOUNT_LABEL:
429 mpc->mpc_ops->mpo_init_mount_label =
432 case MAC_INIT_MOUNT_FS_LABEL:
433 mpc->mpc_ops->mpo_init_mount_fs_label =
436 case MAC_INIT_PIPE_LABEL:
437 mpc->mpc_ops->mpo_init_pipe_label =
440 case MAC_INIT_SOCKET_LABEL:
441 mpc->mpc_ops->mpo_init_socket_label =
444 case MAC_INIT_SOCKET_PEER_LABEL:
445 mpc->mpc_ops->mpo_init_socket_peer_label =
448 case MAC_INIT_TEMP_LABEL:
449 mpc->mpc_ops->mpo_init_temp_label =
452 case MAC_INIT_VNODE_LABEL:
453 mpc->mpc_ops->mpo_init_vnode_label =
456 case MAC_DESTROY_BPFDESC_LABEL:
457 mpc->mpc_ops->mpo_destroy_bpfdesc_label =
460 case MAC_DESTROY_CRED_LABEL:
461 mpc->mpc_ops->mpo_destroy_cred_label =
464 case MAC_DESTROY_DEVFSDIRENT_LABEL:
465 mpc->mpc_ops->mpo_destroy_devfsdirent_label =
468 case MAC_DESTROY_IFNET_LABEL:
469 mpc->mpc_ops->mpo_destroy_ifnet_label =
472 case MAC_DESTROY_IPQ_LABEL:
473 mpc->mpc_ops->mpo_destroy_ipq_label =
476 case MAC_DESTROY_MBUF_LABEL:
477 mpc->mpc_ops->mpo_destroy_mbuf_label =
480 case MAC_DESTROY_MOUNT_LABEL:
481 mpc->mpc_ops->mpo_destroy_mount_label =
484 case MAC_DESTROY_MOUNT_FS_LABEL:
485 mpc->mpc_ops->mpo_destroy_mount_fs_label =
488 case MAC_DESTROY_PIPE_LABEL:
489 mpc->mpc_ops->mpo_destroy_pipe_label =
492 case MAC_DESTROY_SOCKET_LABEL:
493 mpc->mpc_ops->mpo_destroy_socket_label =
496 case MAC_DESTROY_SOCKET_PEER_LABEL:
497 mpc->mpc_ops->mpo_destroy_socket_peer_label =
500 case MAC_DESTROY_TEMP_LABEL:
501 mpc->mpc_ops->mpo_destroy_temp_label =
504 case MAC_DESTROY_VNODE_LABEL:
505 mpc->mpc_ops->mpo_destroy_vnode_label =
508 case MAC_EXTERNALIZE:
509 mpc->mpc_ops->mpo_externalize =
512 case MAC_INTERNALIZE:
513 mpc->mpc_ops->mpo_internalize =
516 case MAC_CREATE_DEVFS_DEVICE:
517 mpc->mpc_ops->mpo_create_devfs_device =
520 case MAC_CREATE_DEVFS_DIRECTORY:
521 mpc->mpc_ops->mpo_create_devfs_directory =
524 case MAC_CREATE_DEVFS_SYMLINK:
525 mpc->mpc_ops->mpo_create_devfs_symlink =
528 case MAC_CREATE_DEVFS_VNODE:
529 mpc->mpc_ops->mpo_create_devfs_vnode =
532 case MAC_STDCREATEVNODE_EA:
533 mpc->mpc_ops->mpo_stdcreatevnode_ea =
536 case MAC_CREATE_VNODE:
537 mpc->mpc_ops->mpo_create_vnode =
540 case MAC_CREATE_MOUNT:
541 mpc->mpc_ops->mpo_create_mount =
544 case MAC_CREATE_ROOT_MOUNT:
545 mpc->mpc_ops->mpo_create_root_mount =
548 case MAC_RELABEL_VNODE:
549 mpc->mpc_ops->mpo_relabel_vnode =
552 case MAC_UPDATE_DEVFSDIRENT:
553 mpc->mpc_ops->mpo_update_devfsdirent =
556 case MAC_UPDATE_PROCFSVNODE:
557 mpc->mpc_ops->mpo_update_procfsvnode =
560 case MAC_UPDATE_VNODE_FROM_EXTATTR:
561 mpc->mpc_ops->mpo_update_vnode_from_extattr =
564 case MAC_UPDATE_VNODE_FROM_EXTERNALIZED:
565 mpc->mpc_ops->mpo_update_vnode_from_externalized =
568 case MAC_UPDATE_VNODE_FROM_MOUNT:
569 mpc->mpc_ops->mpo_update_vnode_from_mount =
572 case MAC_CREATE_MBUF_FROM_SOCKET:
573 mpc->mpc_ops->mpo_create_mbuf_from_socket =
576 case MAC_CREATE_PIPE:
577 mpc->mpc_ops->mpo_create_pipe =
580 case MAC_CREATE_SOCKET:
581 mpc->mpc_ops->mpo_create_socket =
584 case MAC_CREATE_SOCKET_FROM_SOCKET:
585 mpc->mpc_ops->mpo_create_socket_from_socket =
588 case MAC_RELABEL_PIPE:
589 mpc->mpc_ops->mpo_relabel_pipe =
592 case MAC_RELABEL_SOCKET:
593 mpc->mpc_ops->mpo_relabel_socket =
596 case MAC_SET_SOCKET_PEER_FROM_MBUF:
597 mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
600 case MAC_SET_SOCKET_PEER_FROM_SOCKET:
601 mpc->mpc_ops->mpo_set_socket_peer_from_socket =
604 case MAC_CREATE_BPFDESC:
605 mpc->mpc_ops->mpo_create_bpfdesc =
608 case MAC_CREATE_DATAGRAM_FROM_IPQ:
609 mpc->mpc_ops->mpo_create_datagram_from_ipq =
612 case MAC_CREATE_FRAGMENT:
613 mpc->mpc_ops->mpo_create_fragment =
616 case MAC_CREATE_IFNET:
617 mpc->mpc_ops->mpo_create_ifnet =
621 mpc->mpc_ops->mpo_create_ipq =
624 case MAC_CREATE_MBUF_FROM_MBUF:
625 mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
628 case MAC_CREATE_MBUF_LINKLAYER:
629 mpc->mpc_ops->mpo_create_mbuf_linklayer =
632 case MAC_CREATE_MBUF_FROM_BPFDESC:
633 mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
636 case MAC_CREATE_MBUF_FROM_IFNET:
637 mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
640 case MAC_CREATE_MBUF_MULTICAST_ENCAP:
641 mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
644 case MAC_CREATE_MBUF_NETLAYER:
645 mpc->mpc_ops->mpo_create_mbuf_netlayer =
648 case MAC_FRAGMENT_MATCH:
649 mpc->mpc_ops->mpo_fragment_match =
652 case MAC_RELABEL_IFNET:
653 mpc->mpc_ops->mpo_relabel_ifnet =
657 mpc->mpc_ops->mpo_update_ipq =
660 case MAC_CREATE_CRED:
661 mpc->mpc_ops->mpo_create_cred =
664 case MAC_EXECVE_TRANSITION:
665 mpc->mpc_ops->mpo_execve_transition =
668 case MAC_EXECVE_WILL_TRANSITION:
669 mpc->mpc_ops->mpo_execve_will_transition =
672 case MAC_CREATE_PROC0:
673 mpc->mpc_ops->mpo_create_proc0 =
676 case MAC_CREATE_PROC1:
677 mpc->mpc_ops->mpo_create_proc1 =
680 case MAC_RELABEL_CRED:
681 mpc->mpc_ops->mpo_relabel_cred =
684 case MAC_THREAD_USERRET:
685 mpc->mpc_ops->mpo_thread_userret =
688 case MAC_CHECK_BPFDESC_RECEIVE:
689 mpc->mpc_ops->mpo_check_bpfdesc_receive =
692 case MAC_CHECK_CRED_RELABEL:
693 mpc->mpc_ops->mpo_check_cred_relabel =
696 case MAC_CHECK_CRED_VISIBLE:
697 mpc->mpc_ops->mpo_check_cred_visible =
700 case MAC_CHECK_IFNET_RELABEL:
701 mpc->mpc_ops->mpo_check_ifnet_relabel =
704 case MAC_CHECK_IFNET_TRANSMIT:
705 mpc->mpc_ops->mpo_check_ifnet_transmit =
708 case MAC_CHECK_MOUNT_STAT:
709 mpc->mpc_ops->mpo_check_mount_stat =
712 case MAC_CHECK_PIPE_IOCTL:
713 mpc->mpc_ops->mpo_check_pipe_ioctl =
716 case MAC_CHECK_PIPE_POLL:
717 mpc->mpc_ops->mpo_check_pipe_poll =
720 case MAC_CHECK_PIPE_READ:
721 mpc->mpc_ops->mpo_check_pipe_read =
724 case MAC_CHECK_PIPE_RELABEL:
725 mpc->mpc_ops->mpo_check_pipe_relabel =
728 case MAC_CHECK_PIPE_STAT:
729 mpc->mpc_ops->mpo_check_pipe_stat =
732 case MAC_CHECK_PIPE_WRITE:
733 mpc->mpc_ops->mpo_check_pipe_write =
736 case MAC_CHECK_PROC_DEBUG:
737 mpc->mpc_ops->mpo_check_proc_debug =
740 case MAC_CHECK_PROC_SCHED:
741 mpc->mpc_ops->mpo_check_proc_sched =
744 case MAC_CHECK_PROC_SIGNAL:
745 mpc->mpc_ops->mpo_check_proc_signal =
748 case MAC_CHECK_SOCKET_BIND:
749 mpc->mpc_ops->mpo_check_socket_bind =
752 case MAC_CHECK_SOCKET_CONNECT:
753 mpc->mpc_ops->mpo_check_socket_connect =
756 case MAC_CHECK_SOCKET_DELIVER:
757 mpc->mpc_ops->mpo_check_socket_deliver =
760 case MAC_CHECK_SOCKET_LISTEN:
761 mpc->mpc_ops->mpo_check_socket_listen =
764 case MAC_CHECK_SOCKET_RECEIVE:
765 mpc->mpc_ops->mpo_check_socket_receive =
768 case MAC_CHECK_SOCKET_RELABEL:
769 mpc->mpc_ops->mpo_check_socket_relabel =
772 case MAC_CHECK_SOCKET_SEND:
773 mpc->mpc_ops->mpo_check_socket_send =
776 case MAC_CHECK_SOCKET_VISIBLE:
777 mpc->mpc_ops->mpo_check_socket_visible =
780 case MAC_CHECK_VNODE_ACCESS:
781 mpc->mpc_ops->mpo_check_vnode_access =
784 case MAC_CHECK_VNODE_CHDIR:
785 mpc->mpc_ops->mpo_check_vnode_chdir =
788 case MAC_CHECK_VNODE_CHROOT:
789 mpc->mpc_ops->mpo_check_vnode_chroot =
792 case MAC_CHECK_VNODE_CREATE:
793 mpc->mpc_ops->mpo_check_vnode_create =
796 case MAC_CHECK_VNODE_DELETE:
797 mpc->mpc_ops->mpo_check_vnode_delete =
800 case MAC_CHECK_VNODE_DELETEACL:
801 mpc->mpc_ops->mpo_check_vnode_deleteacl =
804 case MAC_CHECK_VNODE_EXEC:
805 mpc->mpc_ops->mpo_check_vnode_exec =
808 case MAC_CHECK_VNODE_GETACL:
809 mpc->mpc_ops->mpo_check_vnode_getacl =
812 case MAC_CHECK_VNODE_GETEXTATTR:
813 mpc->mpc_ops->mpo_check_vnode_getextattr =
816 case MAC_CHECK_VNODE_LINK:
817 mpc->mpc_ops->mpo_check_vnode_link =
820 case MAC_CHECK_VNODE_LOOKUP:
821 mpc->mpc_ops->mpo_check_vnode_lookup =
824 case MAC_CHECK_VNODE_MMAP:
825 mpc->mpc_ops->mpo_check_vnode_mmap =
828 case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
829 mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
832 case MAC_CHECK_VNODE_MPROTECT:
833 mpc->mpc_ops->mpo_check_vnode_mprotect =
836 case MAC_CHECK_VNODE_OPEN:
837 mpc->mpc_ops->mpo_check_vnode_open =
840 case MAC_CHECK_VNODE_POLL:
841 mpc->mpc_ops->mpo_check_vnode_poll =
844 case MAC_CHECK_VNODE_READ:
845 mpc->mpc_ops->mpo_check_vnode_read =
848 case MAC_CHECK_VNODE_READDIR:
849 mpc->mpc_ops->mpo_check_vnode_readdir =
852 case MAC_CHECK_VNODE_READLINK:
853 mpc->mpc_ops->mpo_check_vnode_readlink =
856 case MAC_CHECK_VNODE_RELABEL:
857 mpc->mpc_ops->mpo_check_vnode_relabel =
860 case MAC_CHECK_VNODE_RENAME_FROM:
861 mpc->mpc_ops->mpo_check_vnode_rename_from =
864 case MAC_CHECK_VNODE_RENAME_TO:
865 mpc->mpc_ops->mpo_check_vnode_rename_to =
868 case MAC_CHECK_VNODE_REVOKE:
869 mpc->mpc_ops->mpo_check_vnode_revoke =
872 case MAC_CHECK_VNODE_SETACL:
873 mpc->mpc_ops->mpo_check_vnode_setacl =
876 case MAC_CHECK_VNODE_SETEXTATTR:
877 mpc->mpc_ops->mpo_check_vnode_setextattr =
880 case MAC_CHECK_VNODE_SETFLAGS:
881 mpc->mpc_ops->mpo_check_vnode_setflags =
884 case MAC_CHECK_VNODE_SETMODE:
885 mpc->mpc_ops->mpo_check_vnode_setmode =
888 case MAC_CHECK_VNODE_SETOWNER:
889 mpc->mpc_ops->mpo_check_vnode_setowner =
892 case MAC_CHECK_VNODE_SETUTIMES:
893 mpc->mpc_ops->mpo_check_vnode_setutimes =
896 case MAC_CHECK_VNODE_STAT:
897 mpc->mpc_ops->mpo_check_vnode_stat =
900 case MAC_CHECK_VNODE_WRITE:
901 mpc->mpc_ops->mpo_check_vnode_write =
906 printf("MAC policy `%s': unknown operation %d\n",
907 mpc->mpc_name, mpe->mpe_constant);
912 MAC_POLICY_LIST_LOCK();
913 if (mac_policy_list_busy > 0) {
914 MAC_POLICY_LIST_UNLOCK();
915 FREE(mpc->mpc_ops, M_MACOPVEC);
919 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
920 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
921 MAC_POLICY_LIST_UNLOCK();
922 FREE(mpc->mpc_ops, M_MACOPVEC);
927 if (mpc->mpc_field_off != NULL) {
928 slot = ffs(mac_policy_offsets_free);
930 MAC_POLICY_LIST_UNLOCK();
931 FREE(mpc->mpc_ops, M_MACOPVEC);
936 mac_policy_offsets_free &= ~(1 << slot);
937 *mpc->mpc_field_off = slot;
939 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
940 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
942 /* Per-policy initialization. */
943 if (mpc->mpc_ops->mpo_init != NULL)
944 (*(mpc->mpc_ops->mpo_init))(mpc);
945 MAC_POLICY_LIST_UNLOCK();
947 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname,
954 mac_policy_unregister(struct mac_policy_conf *mpc)
958 * If we fail the load, we may get a request to unload. Check
959 * to see if we did the run-time registration, and if not,
962 MAC_POLICY_LIST_LOCK();
963 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) {
964 MAC_POLICY_LIST_UNLOCK();
969 * Don't allow unloading modules with private data.
971 if (mpc->mpc_field_off != NULL) {
972 MAC_POLICY_LIST_UNLOCK();
977 * Only allow the unload to proceed if the module is unloadable
978 * by its own definition.
980 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) {
981 MAC_POLICY_LIST_UNLOCK();
985 * Right now, we EBUSY if the list is in use. In the future,
986 * for reliability reasons, we might want to sleep and wakeup
987 * later to try again.
989 if (mac_policy_list_busy > 0) {
990 MAC_POLICY_LIST_UNLOCK();
993 if (mpc->mpc_ops->mpo_destroy != NULL)
994 (*(mpc->mpc_ops->mpo_destroy))(mpc);
996 LIST_REMOVE(mpc, mpc_list);
997 MAC_POLICY_LIST_UNLOCK();
999 FREE(mpc->mpc_ops, M_MACOPVEC);
1000 mpc->mpc_ops = NULL;
1002 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
1009 * Define an error value precedence, and given two arguments, selects the
1010 * value with the higher precedence.
1013 error_select(int error1, int error2)
1016 /* Certain decision-making errors take top priority. */
1017 if (error1 == EDEADLK || error2 == EDEADLK)
1020 /* Invalid arguments should be reported where possible. */
1021 if (error1 == EINVAL || error2 == EINVAL)
1024 /* Precedence goes to "visibility", with both process and file. */
1025 if (error1 == ESRCH || error2 == ESRCH)
1028 if (error1 == ENOENT || error2 == ENOENT)
1031 /* Precedence goes to DAC/MAC protections. */
1032 if (error1 == EACCES || error2 == EACCES)
1035 /* Precedence goes to privilege. */
1036 if (error1 == EPERM || error2 == EPERM)
1039 /* Precedence goes to error over success; otherwise, arbitrary. */
1046 mac_init_label(struct label *label)
1049 bzero(label, sizeof(*label));
1050 label->l_flags = MAC_FLAG_INITIALIZED;
1054 mac_destroy_label(struct label *label)
1057 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
1058 ("destroying uninitialized label"));
1060 bzero(label, sizeof(*label));
1061 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */
1065 mac_init_structmac(struct mac *mac)
1068 bzero(mac, sizeof(*mac));
1069 mac->m_macflags = MAC_FLAG_INITIALIZED;
1073 mac_init_bpfdesc(struct bpf_d *bpf_d)
1076 mac_init_label(&bpf_d->bd_label);
1077 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
1079 atomic_add_int(&nmacbpfdescs, 1);
1084 mac_init_cred(struct ucred *cr)
1087 mac_init_label(&cr->cr_label);
1088 MAC_PERFORM(init_cred_label, &cr->cr_label);
1090 atomic_add_int(&nmaccreds, 1);
1095 mac_init_devfsdirent(struct devfs_dirent *de)
1098 mac_init_label(&de->de_label);
1099 MAC_PERFORM(init_devfsdirent_label, &de->de_label);
1101 atomic_add_int(&nmacdevfsdirents, 1);
1106 mac_init_ifnet(struct ifnet *ifp)
1109 mac_init_label(&ifp->if_label);
1110 MAC_PERFORM(init_ifnet_label, &ifp->if_label);
1112 atomic_add_int(&nmacifnets, 1);
1117 mac_init_ipq(struct ipq *ipq)
1120 mac_init_label(&ipq->ipq_label);
1121 MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
1123 atomic_add_int(&nmacipqs, 1);
1128 mac_init_mbuf(struct mbuf *m, int flag)
1132 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
1134 mac_init_label(&m->m_pkthdr.label);
1136 MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
1138 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
1139 mac_destroy_label(&m->m_pkthdr.label);
1144 atomic_add_int(&nmacmbufs, 1);
1150 mac_init_mount(struct mount *mp)
1153 mac_init_label(&mp->mnt_mntlabel);
1154 mac_init_label(&mp->mnt_fslabel);
1155 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
1156 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
1158 atomic_add_int(&nmacmounts, 1);
1163 mac_init_pipe(struct pipe *pipe)
1165 struct label *label;
1167 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
1168 mac_init_label(label);
1169 pipe->pipe_label = label;
1170 pipe->pipe_peer->pipe_label = label;
1171 MAC_PERFORM(init_pipe_label, pipe->pipe_label);
1173 atomic_add_int(&nmacpipes, 1);
1178 mac_init_socket_label(struct label *label, int flag)
1182 mac_init_label(label);
1184 MAC_CHECK(init_socket_label, label, flag);
1186 MAC_PERFORM(destroy_socket_label, label);
1187 mac_destroy_label(label);
1192 atomic_add_int(&nmacsockets, 1);
1199 mac_init_socket_peer_label(struct label *label, int flag)
1203 mac_init_label(label);
1205 MAC_CHECK(init_socket_peer_label, label, flag);
1207 MAC_PERFORM(destroy_socket_label, label);
1208 mac_destroy_label(label);
1215 mac_init_socket(struct socket *socket, int flag)
1219 error = mac_init_socket_label(&socket->so_label, flag);
1223 error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
1225 mac_destroy_socket_label(&socket->so_label);
1231 mac_init_temp(struct label *label)
1234 mac_init_label(label);
1235 MAC_PERFORM(init_temp_label, label);
1237 atomic_add_int(&nmactemp, 1);
1242 mac_init_vnode(struct vnode *vp)
1245 mac_init_label(&vp->v_label);
1246 MAC_PERFORM(init_vnode_label, &vp->v_label);
1248 atomic_add_int(&nmacvnodes, 1);
1253 mac_destroy_bpfdesc(struct bpf_d *bpf_d)
1256 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
1257 mac_destroy_label(&bpf_d->bd_label);
1259 atomic_subtract_int(&nmacbpfdescs, 1);
1264 mac_destroy_cred(struct ucred *cr)
1267 MAC_PERFORM(destroy_cred_label, &cr->cr_label);
1268 mac_destroy_label(&cr->cr_label);
1270 atomic_subtract_int(&nmaccreds, 1);
1275 mac_destroy_devfsdirent(struct devfs_dirent *de)
1278 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
1279 mac_destroy_label(&de->de_label);
1281 atomic_subtract_int(&nmacdevfsdirents, 1);
1286 mac_destroy_ifnet(struct ifnet *ifp)
1289 MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
1290 mac_destroy_label(&ifp->if_label);
1292 atomic_subtract_int(&nmacifnets, 1);
1297 mac_destroy_ipq(struct ipq *ipq)
1300 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
1301 mac_destroy_label(&ipq->ipq_label);
1303 atomic_subtract_int(&nmacipqs, 1);
1308 mac_destroy_mbuf(struct mbuf *m)
1311 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
1312 mac_destroy_label(&m->m_pkthdr.label);
1314 atomic_subtract_int(&nmacmbufs, 1);
1319 mac_destroy_mount(struct mount *mp)
1322 MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
1323 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
1324 mac_destroy_label(&mp->mnt_fslabel);
1325 mac_destroy_label(&mp->mnt_mntlabel);
1327 atomic_subtract_int(&nmacmounts, 1);
1332 mac_destroy_pipe(struct pipe *pipe)
1335 MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
1336 mac_destroy_label(pipe->pipe_label);
1337 free(pipe->pipe_label, M_MACPIPELABEL);
1339 atomic_subtract_int(&nmacpipes, 1);
1344 mac_destroy_socket_label(struct label *label)
1347 MAC_PERFORM(destroy_socket_label, label);
1348 mac_destroy_label(label);
1350 atomic_subtract_int(&nmacsockets, 1);
1355 mac_destroy_socket_peer_label(struct label *label)
1358 MAC_PERFORM(destroy_socket_peer_label, label);
1359 mac_destroy_label(label);
1363 mac_destroy_socket(struct socket *socket)
1366 mac_destroy_socket_label(&socket->so_label);
1367 mac_destroy_socket_peer_label(&socket->so_peerlabel);
1371 mac_destroy_temp(struct label *label)
1374 MAC_PERFORM(destroy_temp_label, label);
1375 mac_destroy_label(label);
1377 atomic_subtract_int(&nmactemp, 1);
1382 mac_destroy_vnode(struct vnode *vp)
1385 MAC_PERFORM(destroy_vnode_label, &vp->v_label);
1386 mac_destroy_label(&vp->v_label);
1388 atomic_subtract_int(&nmacvnodes, 1);
1393 mac_externalize(struct label *label, struct mac *mac)
1397 mac_init_structmac(mac);
1398 MAC_CHECK(externalize, label, mac);
1404 mac_internalize(struct label *label, struct mac *mac)
1408 mac_init_temp(label);
1409 MAC_CHECK(internalize, label, mac);
1411 mac_destroy_temp(label);
1417 * Initialize MAC label for the first kernel process, from which other
1418 * kernel processes and threads are spawned.
1421 mac_create_proc0(struct ucred *cred)
1424 MAC_PERFORM(create_proc0, cred);
1428 * Initialize MAC label for the first userland process, from which other
1429 * userland processes and threads are spawned.
1432 mac_create_proc1(struct ucred *cred)
1435 MAC_PERFORM(create_proc1, cred);
1439 mac_thread_userret(struct thread *td)
1442 MAC_PERFORM(thread_userret, td);
1446 * When a new process is created, its label must be initialized. Generally,
1447 * this involves inheritence from the parent process, modulo possible
1448 * deltas. This function allows that processing to take place.
1451 mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
1454 MAC_PERFORM(create_cred, parent_cred, child_cred);
1458 mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
1461 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label);
1465 mac_update_procfsvnode(struct vnode *vp, struct ucred *cred)
1468 MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred);
1472 * Support callout for policies that manage their own externalization
1473 * using extended attributes.
1476 mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp)
1480 MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp,
1487 * Given an externalized mac label, internalize it and stamp it on a
1491 mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac)
1495 MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac);
1501 * Call out to individual policies to update the label in a vnode from
1505 mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp)
1508 MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp,
1511 ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount");
1512 if (mac_cache_fslabel_in_vnode)
1513 vp->v_vflag |= VV_CACHEDLABEL;
1517 * Implementation of VOP_REFRESHLABEL() that relies on extended attributes
1518 * to store label data. Can be referenced by filesystems supporting
1519 * extended attributes.
1522 vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap)
1524 struct vnode *vp = ap->a_vp;
1528 ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea");
1531 * Call out to external policies first. Order doesn't really
1532 * matter, as long as failure of one assures failure of all.
1534 error = mac_update_vnode_from_extattr(vp, vp->v_mount);
1538 buflen = sizeof(extmac);
1539 error = vn_extattr_get(vp, IO_NODELOCKED,
1540 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen,
1541 (char *)&extmac, curthread);
1549 * Use the label from the mount point.
1551 mac_update_vnode_from_mount(vp, vp->v_mount);
1556 /* Fail horribly. */
1560 if (buflen != sizeof(extmac))
1561 error = EPERM; /* Fail very closed. */
1563 error = mac_update_vnode_from_externalized(vp, &extmac);
1565 vp->v_vflag |= VV_CACHEDLABEL;
1569 printf("Corrupted label on %s",
1570 vp->v_mount->mnt_stat.f_mntonname);
1571 if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0)
1572 printf(" inum %ld", va.va_fileid);
1574 if (mac_debug_label_fallback) {
1575 printf(", falling back.\n");
1576 mac_update_vnode_from_mount(vp, vp->v_mount);
1591 * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle
1592 * the labeling activity outselves. Filesystems should be careful not
1593 * to change their minds regarding whether they support vop_refreshlabel()
1594 * for a vnode or not. Don't cache the vnode here, allow the file
1595 * system code to determine if it's safe to cache. If we update from
1596 * the mount, don't cache since a change to the mount label should affect
1600 vn_refreshlabel(struct vnode *vp, struct ucred *cred)
1604 ASSERT_VOP_LOCKED(vp, "vn_refreshlabel");
1606 if (vp->v_mount == NULL) {
1608 Eventually, we probably want to special-case refreshing
1609 of deadfs vnodes, and if there's a lock-free race somewhere,
1610 that case might be handled here.
1612 mac_update_vnode_deadfs(vp);
1615 /* printf("vn_refreshlabel: null v_mount\n"); */
1616 if (vp->v_type != VNON)
1618 "vn_refreshlabel: null v_mount with non-VNON\n");
1622 if (vp->v_vflag & VV_CACHEDLABEL) {
1623 mac_vnode_label_cache_hits++;
1626 mac_vnode_label_cache_misses++;
1628 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
1629 mac_update_vnode_from_mount(vp, vp->v_mount);
1633 error = VOP_REFRESHLABEL(vp, cred, curthread);
1637 * If labels are not supported on this vnode, fall back to
1638 * the label in the mount and propagate it to the vnode.
1639 * There should probably be some sort of policy/flag/decision
1642 mac_update_vnode_from_mount(vp, vp->v_mount);
1650 * Helper function for file systems using the vop_std*_ea() calls. This
1651 * function must be called after EA service is available for the vnode,
1652 * but before it's hooked up to the namespace so that the node persists
1653 * if there's a crash, or before it can be accessed. On successful
1654 * commit of the label to disk (etc), do cache the label.
1657 vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred)
1662 ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea");
1663 if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
1664 mac_update_vnode_from_mount(tvp, tvp->v_mount);
1666 error = vn_refreshlabel(dvp, cred);
1671 * Stick the label in the vnode. Then try to write to
1672 * disk. If we fail, return a failure to abort the
1673 * create operation. Really, this failure shouldn't
1674 * happen except in fairly unusual circumstances (out
1677 mac_create_vnode(cred, dvp, tvp);
1679 error = mac_stdcreatevnode_ea(tvp);
1684 * XXX: Eventually this will go away and all policies will
1685 * directly manage their extended attributes.
1687 error = mac_externalize(&tvp->v_label, &extmac);
1691 error = vn_extattr_set(tvp, IO_NODELOCKED,
1692 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
1693 sizeof(extmac), (char *)&extmac, curthread);
1695 tvp->v_vflag |= VV_CACHEDLABEL;
1699 * In theory, we could have fall-back behavior here.
1700 * It would probably be incorrect.
1711 mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp)
1715 ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
1717 error = vn_refreshlabel(vp, old);
1719 printf("mac_execve_transition: vn_refreshlabel returned %d\n",
1721 printf("mac_execve_transition: using old vnode label\n");
1724 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label);
1728 mac_execve_will_transition(struct ucred *old, struct vnode *vp)
1732 error = vn_refreshlabel(vp, old);
1737 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label);
1743 mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
1747 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
1749 if (!mac_enforce_fs)
1752 error = vn_refreshlabel(vp, cred);
1756 MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags);
1761 mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
1765 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
1767 if (!mac_enforce_fs)
1770 error = vn_refreshlabel(dvp, cred);
1774 MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
1779 mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
1783 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
1785 if (!mac_enforce_fs)
1788 error = vn_refreshlabel(dvp, cred);
1792 MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
1797 mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
1798 struct componentname *cnp, struct vattr *vap)
1802 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
1804 if (!mac_enforce_fs)
1807 error = vn_refreshlabel(dvp, cred);
1811 MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
1816 mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
1817 struct componentname *cnp)
1821 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
1822 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
1824 if (!mac_enforce_fs)
1827 error = vn_refreshlabel(dvp, cred);
1830 error = vn_refreshlabel(vp, cred);
1834 MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
1840 mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
1845 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
1847 if (!mac_enforce_fs)
1850 error = vn_refreshlabel(vp, cred);
1854 MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
1859 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp)
1863 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
1865 if (!mac_enforce_process && !mac_enforce_fs)
1868 error = vn_refreshlabel(vp, cred);
1871 MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label);
1877 mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
1881 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
1883 if (!mac_enforce_fs)
1886 error = vn_refreshlabel(vp, cred);
1890 MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
1895 mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
1896 int attrnamespace, const char *name, struct uio *uio)
1900 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
1902 if (!mac_enforce_fs)
1905 error = vn_refreshlabel(vp, cred);
1909 MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
1910 attrnamespace, name, uio);
1915 mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
1916 struct vnode *vp, struct componentname *cnp)
1921 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
1922 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
1924 if (!mac_enforce_fs)
1927 error = vn_refreshlabel(dvp, cred);
1931 error = vn_refreshlabel(vp, cred);
1935 MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
1941 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
1942 struct componentname *cnp)
1946 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
1948 if (!mac_enforce_fs)
1951 error = vn_refreshlabel(dvp, cred);
1955 MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
1960 mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
1964 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
1966 if (!mac_enforce_fs || !mac_enforce_vm)
1969 error = vn_refreshlabel(vp, cred);
1973 MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
1978 mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
1982 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
1984 if (!mac_enforce_fs || !mac_enforce_vm)
1987 MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
1994 mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
1998 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
2000 if (!mac_enforce_fs || !mac_enforce_vm)
2003 error = vn_refreshlabel(vp, cred);
2007 MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
2012 mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
2016 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
2018 if (!mac_enforce_fs)
2021 error = vn_refreshlabel(vp, cred);
2025 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
2030 mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2035 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
2037 if (!mac_enforce_fs)
2040 error = vn_refreshlabel(vp, active_cred);
2044 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
2051 mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2056 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
2058 if (!mac_enforce_fs)
2061 error = vn_refreshlabel(vp, active_cred);
2065 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
2072 mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
2076 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
2078 if (!mac_enforce_fs)
2081 error = vn_refreshlabel(dvp, cred);
2085 MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
2090 mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
2094 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
2096 if (!mac_enforce_fs)
2099 error = vn_refreshlabel(vp, cred);
2103 MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
2108 mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2109 struct label *newlabel)
2113 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
2115 error = vn_refreshlabel(vp, cred);
2119 MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
2125 mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2126 struct vnode *vp, struct componentname *cnp)
2130 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
2131 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
2133 if (!mac_enforce_fs)
2136 error = vn_refreshlabel(dvp, cred);
2139 error = vn_refreshlabel(vp, cred);
2143 MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
2149 mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2150 struct vnode *vp, int samedir, struct componentname *cnp)
2154 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
2155 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
2157 if (!mac_enforce_fs)
2160 error = vn_refreshlabel(dvp, cred);
2164 error = vn_refreshlabel(vp, cred);
2168 MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
2169 vp != NULL ? &vp->v_label : NULL, samedir, cnp);
2174 mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
2178 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
2180 if (!mac_enforce_fs)
2183 error = vn_refreshlabel(vp, cred);
2187 MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
2192 mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
2197 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
2199 if (!mac_enforce_fs)
2202 error = vn_refreshlabel(vp, cred);
2206 MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
2211 mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2212 int attrnamespace, const char *name, struct uio *uio)
2216 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
2218 if (!mac_enforce_fs)
2221 error = vn_refreshlabel(vp, cred);
2225 MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
2226 attrnamespace, name, uio);
2231 mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
2235 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
2237 if (!mac_enforce_fs)
2240 error = vn_refreshlabel(vp, cred);
2244 MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
2249 mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
2253 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
2255 if (!mac_enforce_fs)
2258 error = vn_refreshlabel(vp, cred);
2262 MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
2267 mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
2272 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
2274 if (!mac_enforce_fs)
2277 error = vn_refreshlabel(vp, cred);
2281 MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
2286 mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2287 struct timespec atime, struct timespec mtime)
2291 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
2293 if (!mac_enforce_fs)
2296 error = vn_refreshlabel(vp, cred);
2300 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
2306 mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2311 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
2313 if (!mac_enforce_fs)
2316 error = vn_refreshlabel(vp, active_cred);
2320 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
2326 mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
2331 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
2333 if (!mac_enforce_fs)
2336 error = vn_refreshlabel(vp, active_cred);
2340 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
2347 * When relabeling a process, call out to the policies for the maximum
2348 * permission allowed for each object type we know about in its
2349 * memory space, and revoke access (in the least surprising ways we
2350 * know) when necessary. The process lock is not held here.
2353 mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred)
2356 /* XXX freeze all other threads */
2357 mac_cred_mmapped_drop_perms_recurse(td, cred,
2358 &td->td_proc->p_vmspace->vm_map);
2359 /* XXX allow other threads to continue */
2362 static __inline const char *
2363 prot2str(vm_prot_t prot)
2366 switch (prot & VM_PROT_ALL) {
2369 case VM_PROT_READ | VM_PROT_WRITE:
2371 case VM_PROT_READ | VM_PROT_EXECUTE:
2373 case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE:
2377 case VM_PROT_EXECUTE:
2379 case VM_PROT_WRITE | VM_PROT_EXECUTE:
2387 mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
2390 struct vm_map_entry *vme;
2392 vm_prot_t revokeperms;
2394 vm_ooffset_t offset;
2397 if (!mac_mmap_revocation)
2400 vm_map_lock_read(map);
2401 for (vme = map->header.next; vme != &map->header; vme = vme->next) {
2402 if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
2403 mac_cred_mmapped_drop_perms_recurse(td, cred,
2404 vme->object.sub_map);
2408 * Skip over entries that obviously are not shared.
2410 if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) ||
2411 !vme->max_protection)
2414 * Drill down to the deepest backing object.
2416 offset = vme->offset;
2417 object = vme->object.vm_object;
2420 while (object->backing_object != NULL) {
2421 object = object->backing_object;
2422 offset += object->backing_object_offset;
2425 * At the moment, vm_maps and objects aren't considered
2426 * by the MAC system, so only things with backing by a
2427 * normal object (read: vnodes) are checked.
2429 if (object->type != OBJT_VNODE)
2431 vp = (struct vnode *)object->handle;
2432 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
2433 result = vme->max_protection;
2434 mac_check_vnode_mmap_downgrade(cred, vp, &result);
2435 VOP_UNLOCK(vp, 0, td);
2437 * Find out what maximum protection we may be allowing
2438 * now but a policy needs to get removed.
2440 revokeperms = vme->max_protection & ~result;
2443 printf("pid %ld: revoking %s perms from %#lx:%ld "
2444 "(max %s/cur %s)\n", (long)td->td_proc->p_pid,
2445 prot2str(revokeperms), (u_long)vme->start,
2446 (long)(vme->end - vme->start),
2447 prot2str(vme->max_protection), prot2str(vme->protection));
2448 vm_map_lock_upgrade(map);
2450 * This is the really simple case: if a map has more
2451 * max_protection than is allowed, but it's not being
2452 * actually used (that is, the current protection is
2453 * still allowed), we can just wipe it out and do
2456 if ((vme->protection & revokeperms) == 0) {
2457 vme->max_protection -= revokeperms;
2459 if (revokeperms & VM_PROT_WRITE) {
2461 * In the more complicated case, flush out all
2462 * pending changes to the object then turn it
2465 vm_object_reference(object);
2466 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
2467 vm_object_page_clean(object,
2469 OFF_TO_IDX(offset + vme->end - vme->start +
2472 VOP_UNLOCK(vp, 0, td);
2473 vm_object_deallocate(object);
2475 * Why bother if there's no read permissions
2476 * anymore? For the rest, we need to leave
2477 * the write permissions on for COW, or
2478 * remove them entirely if configured to.
2480 if (!mac_mmap_revocation_via_cow) {
2481 vme->max_protection &= ~VM_PROT_WRITE;
2482 vme->protection &= ~VM_PROT_WRITE;
2483 } if ((revokeperms & VM_PROT_READ) == 0)
2484 vme->eflags |= MAP_ENTRY_COW |
2485 MAP_ENTRY_NEEDS_COPY;
2487 if (revokeperms & VM_PROT_EXECUTE) {
2488 vme->max_protection &= ~VM_PROT_EXECUTE;
2489 vme->protection &= ~VM_PROT_EXECUTE;
2491 if (revokeperms & VM_PROT_READ) {
2492 vme->max_protection = 0;
2493 vme->protection = 0;
2495 pmap_protect(map->pmap, vme->start, vme->end,
2496 vme->protection & ~revokeperms);
2497 vm_map_simplify_entry(map, vme);
2499 vm_map_lock_downgrade(map);
2501 vm_map_unlock_read(map);
2505 * When the subject's label changes, it may require revocation of privilege
2506 * to mapped objects. This can't be done on-the-fly later with a unified
2510 mac_relabel_cred(struct ucred *cred, struct label *newlabel)
2513 MAC_PERFORM(relabel_cred, cred, newlabel);
2517 mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
2520 MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
2524 mac_create_ifnet(struct ifnet *ifnet)
2527 MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
2531 mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
2534 MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label);
2538 mac_create_socket(struct ucred *cred, struct socket *socket)
2541 MAC_PERFORM(create_socket, cred, socket, &socket->so_label);
2545 mac_create_pipe(struct ucred *cred, struct pipe *pipe)
2548 MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label);
2552 mac_create_socket_from_socket(struct socket *oldsocket,
2553 struct socket *newsocket)
2556 MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label,
2557 newsocket, &newsocket->so_label);
2561 mac_relabel_socket(struct ucred *cred, struct socket *socket,
2562 struct label *newlabel)
2565 MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel);
2569 mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel)
2572 MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel);
2576 mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
2579 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label,
2580 socket, &socket->so_peerlabel);
2584 mac_set_socket_peer_from_socket(struct socket *oldsocket,
2585 struct socket *newsocket)
2588 MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
2589 &oldsocket->so_label, newsocket, &newsocket->so_peerlabel);
2593 mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
2596 MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label,
2597 datagram, &datagram->m_pkthdr.label);
2601 mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment)
2604 MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label,
2605 fragment, &fragment->m_pkthdr.label);
2609 mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
2612 MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq,
2617 mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
2620 MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label,
2621 newmbuf, &newmbuf->m_pkthdr.label);
2625 mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
2628 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf,
2629 &mbuf->m_pkthdr.label);
2633 mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
2636 MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
2637 &mbuf->m_pkthdr.label);
2641 mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
2644 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
2645 &mbuf->m_pkthdr.label);
2649 mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
2650 struct mbuf *newmbuf)
2653 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf,
2654 &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf,
2655 &newmbuf->m_pkthdr.label);
2659 mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf)
2662 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label,
2663 newmbuf, &newmbuf->m_pkthdr.label);
2667 mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
2672 MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label,
2673 ipq, &ipq->ipq_label);
2679 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
2682 MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq,
2687 mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
2690 MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf,
2691 &mbuf->m_pkthdr.label);
2695 mac_create_mount(struct ucred *cred, struct mount *mp)
2698 MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
2703 mac_create_root_mount(struct ucred *cred, struct mount *mp)
2706 MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
2711 mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
2715 if (!mac_enforce_network)
2718 MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
2725 mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
2729 MAC_CHECK(check_cred_relabel, cred, newlabel);
2735 mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
2739 if (!mac_enforce_process)
2742 MAC_CHECK(check_cred_visible, u1, u2);
2748 mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
2752 if (!mac_enforce_network)
2755 KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));
2756 if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED))
2757 printf("%s%d: not initialized\n", ifnet->if_name,
2760 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
2761 &mbuf->m_pkthdr.label);
2767 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
2771 if (!mac_enforce_fs)
2774 MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
2780 mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
2785 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
2787 if (!mac_enforce_pipe)
2790 MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data);
2796 mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
2800 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
2802 if (!mac_enforce_pipe)
2805 MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
2811 mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
2815 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
2817 if (!mac_enforce_pipe)
2820 MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
2826 mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
2827 struct label *newlabel)
2831 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
2833 if (!mac_enforce_pipe)
2836 MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel);
2842 mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
2846 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
2848 if (!mac_enforce_pipe)
2851 MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
2857 mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
2861 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
2863 if (!mac_enforce_pipe)
2866 MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
2872 mac_check_proc_debug(struct ucred *cred, struct proc *proc)
2876 PROC_LOCK_ASSERT(proc, MA_OWNED);
2878 if (!mac_enforce_process)
2881 MAC_CHECK(check_proc_debug, cred, proc);
2887 mac_check_proc_sched(struct ucred *cred, struct proc *proc)
2891 PROC_LOCK_ASSERT(proc, MA_OWNED);
2893 if (!mac_enforce_process)
2896 MAC_CHECK(check_proc_sched, cred, proc);
2902 mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
2906 PROC_LOCK_ASSERT(proc, MA_OWNED);
2908 if (!mac_enforce_process)
2911 MAC_CHECK(check_proc_signal, cred, proc, signum);
2917 mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
2918 struct sockaddr *sockaddr)
2922 if (!mac_enforce_socket)
2925 MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
2932 mac_check_socket_connect(struct ucred *cred, struct socket *socket,
2933 struct sockaddr *sockaddr)
2937 if (!mac_enforce_socket)
2940 MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
2947 mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
2951 if (!mac_enforce_socket)
2954 MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf,
2955 &mbuf->m_pkthdr.label);
2961 mac_check_socket_listen(struct ucred *cred, struct socket *socket)
2965 if (!mac_enforce_socket)
2968 MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
2973 mac_check_socket_receive(struct ucred *cred, struct socket *so)
2977 if (!mac_enforce_socket)
2980 MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
2986 mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
2987 struct label *newlabel)
2991 MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
2998 mac_check_socket_send(struct ucred *cred, struct socket *so)
3002 if (!mac_enforce_socket)
3005 MAC_CHECK(check_socket_send, cred, so, &so->so_label);
3011 mac_check_socket_visible(struct ucred *cred, struct socket *socket)
3015 if (!mac_enforce_socket)
3018 MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
3024 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
3025 struct ifnet *ifnet)
3030 error = mac_externalize(&ifnet->if_label, &label);
3034 return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label)));
3038 mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
3039 struct ifnet *ifnet)
3041 struct mac newlabel;
3042 struct label intlabel;
3045 error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel));
3049 error = mac_internalize(&intlabel, &newlabel);
3054 * XXX: Note that this is a redundant privilege check, since
3055 * policies impose this check themselves if required by the
3056 * policy. Eventually, this should go away.
3058 error = suser_cred(cred, 0);
3062 MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
3067 MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
3070 mac_destroy_temp(&intlabel);
3075 mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp)
3078 MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label);
3082 mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
3085 MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
3089 mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
3090 struct devfs_dirent *de)
3093 MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
3098 mac_stdcreatevnode_ea(struct vnode *vp)
3102 MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label);
3108 mac_create_devfs_directory(char *dirname, int dirnamelen,
3109 struct devfs_dirent *de)
3112 MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de,
3117 * When a new vnode is created, this call will initialize its label.
3120 mac_create_vnode(struct ucred *cred, struct vnode *parent,
3121 struct vnode *child)
3125 ASSERT_VOP_LOCKED(parent, "mac_create_vnode");
3126 ASSERT_VOP_LOCKED(child, "mac_create_vnode");
3128 error = vn_refreshlabel(parent, cred);
3130 printf("mac_create_vnode: vn_refreshlabel returned %d\n",
3132 printf("mac_create_vnode: using old vnode label\n");
3135 MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child,
3140 mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
3143 struct label intlabel;
3146 error = mac_internalize(&intlabel, extmac);
3150 mac_check_socket_relabel(cred, so, &intlabel);
3152 mac_destroy_temp(&intlabel);
3156 mac_relabel_socket(cred, so, &intlabel);
3158 mac_destroy_temp(&intlabel);
3163 mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label)
3167 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
3169 error = mac_check_pipe_relabel(cred, pipe, label);
3173 mac_relabel_pipe(cred, pipe, label);
3179 mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
3183 return (mac_externalize(&so->so_label, extmac));
3187 mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
3191 return (mac_externalize(&so->so_peerlabel, extmac));
3195 * Implementation of VOP_SETLABEL() that relies on extended attributes
3196 * to store label data. Can be referenced by filesystems supporting
3197 * extended attributes.
3200 vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
3202 struct vnode *vp = ap->a_vp;
3203 struct label *intlabel = ap->a_label;
3207 ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea");
3210 * XXX: Eventually call out to EA check/set calls here.
3211 * Be particularly careful to avoid race conditions,
3212 * consistency problems, and stability problems when
3213 * dealing with multiple EAs. In particular, we require
3214 * the ability to write multiple EAs on the same file in
3215 * a single transaction, which the current EA interface
3219 error = mac_externalize(intlabel, &extmac);
3223 error = vn_extattr_set(vp, IO_NODELOCKED,
3224 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
3225 sizeof(extmac), (char *)&extmac, curthread);
3229 mac_relabel_vnode(ap->a_cred, vp, intlabel);
3231 vp->v_vflag |= VV_CACHEDLABEL;
3237 vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
3241 if (vp->v_mount == NULL) {
3242 /* printf("vn_setlabel: null v_mount\n"); */
3243 if (vp->v_type != VNON)
3244 printf("vn_setlabel: null v_mount with non-VNON\n");
3248 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
3249 return (EOPNOTSUPP);
3252 * Multi-phase commit. First check the policies to confirm the
3253 * change is OK. Then commit via the filesystem. Finally,
3254 * update the actual vnode label. Question: maybe the filesystem
3255 * should update the vnode at the end as part of VOP_SETLABEL()?
3257 error = mac_check_vnode_relabel(cred, vp, intlabel);
3262 * VADMIN provides the opportunity for the filesystem to make
3263 * decisions about who is and is not able to modify labels
3264 * and protections on files. This might not be right. We can't
3265 * assume VOP_SETLABEL() will do it, because we might implement
3266 * that as part of vop_stdsetlabel_ea().
3268 error = VOP_ACCESS(vp, VADMIN, cred, curthread);
3272 error = VOP_SETLABEL(vp, intlabel, cred, curthread);
3283 __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
3288 error = mac_externalize(&td->td_ucred->cr_label, &extmac);
3290 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac));
3299 __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
3301 struct ucred *newcred, *oldcred;
3304 struct label intlabel;
3307 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac));
3311 error = mac_internalize(&intlabel, &extmac);
3319 oldcred = p->p_ucred;
3321 error = mac_check_cred_relabel(oldcred, &intlabel);
3324 mac_destroy_temp(&intlabel);
3330 crcopy(newcred, oldcred);
3331 mac_relabel_cred(newcred, &intlabel);
3332 p->p_ucred = newcred;
3335 * Grab additional reference for use while revoking mmaps, prior
3336 * to releasing the proc lock and sharing the cred.
3342 mac_cred_mmapped_drop_perms(td, newcred);
3345 crfree(newcred); /* Free revocation reference. */
3347 mac_destroy_temp(&intlabel);
3355 __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
3365 error = fget(td, SCARG(uap, fd), &fp);
3369 switch (fp->f_type) {
3372 vp = (struct vnode *)fp->f_data;
3374 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
3375 error = vn_refreshlabel(vp, td->td_ucred);
3377 error = mac_externalize(&vp->v_label, &extmac);
3378 VOP_UNLOCK(vp, 0, td);
3381 pipe = (struct pipe *)fp->f_data;
3382 error = mac_externalize(pipe->pipe_label, &extmac);
3389 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac));
3402 __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
3404 struct nameidata nd;
3409 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
3410 SCARG(uap, path_p), td);
3415 error = vn_refreshlabel(nd.ni_vp, td->td_ucred);
3417 error = mac_externalize(&nd.ni_vp->v_label, &extmac);
3422 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac));
3433 __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
3437 struct label intlabel;
3444 error = fget(td, SCARG(uap, fd), &fp);
3448 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac));
3452 error = mac_internalize(&intlabel, &extmac);
3456 switch (fp->f_type) {
3459 vp = (struct vnode *)fp->f_data;
3460 error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
3464 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
3465 error = vn_setlabel(vp, &intlabel, td->td_ucred);
3466 VOP_UNLOCK(vp, 0, td);
3467 vn_finished_write(mp);
3468 mac_destroy_temp(&intlabel);
3471 pipe = (struct pipe *)fp->f_data;
3473 error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel);
3491 __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
3493 struct nameidata nd;
3495 struct label intlabel;
3501 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac));
3505 error = mac_internalize(&intlabel, &extmac);
3509 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
3510 SCARG(uap, path_p), td);
3514 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
3518 error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred);
3520 vn_finished_write(mp);
3522 mac_destroy_temp(&intlabel);
3530 mac_syscall(struct thread *td, struct mac_syscall_args *uap)
3532 struct mac_policy_conf *mpc;
3533 char target[MAC_MAX_POLICY_NAME];
3536 error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL);
3541 MAC_POLICY_LIST_BUSY();
3542 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {
3543 if (strcmp(mpc->mpc_name, target) == 0 &&
3544 mpc->mpc_ops->mpo_syscall != NULL) {
3545 error = mpc->mpc_ops->mpo_syscall(td,
3546 SCARG(uap, call), SCARG(uap, arg));
3552 MAC_POLICY_LIST_UNBUSY();
3556 SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);
3557 SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);
3562 __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
3569 __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
3576 __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
3583 __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
3590 __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
3597 __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
3604 mac_syscall(struct thread *td, struct mac_syscall_args *uap)
projects / FreeBSD / FreeBSD.git / blob